Where to Start : Securing Ubuntu.

Thread: Where to Start : Securing Ubuntu.

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Where to Start : Securing Ubuntu.

    Greetings

    I have already installed Ubuntu 6.06 on my PC. It also has Windows XP (fully patched) on it. My question is simple :

    Before I go online for the first time using Linux (which is about 9 days from today) what are the steps that I should take to Secure it.

    I will be googling for the same but I prefer input from members here..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    872
    http://www.grsecurity.net/

    grsec kernel patch. Pretty much all you need. Yes, it's that good. ;p


    edit: that and a good iptables script.
    ...This Space For Rent.

    -[WebCarnage]

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I'm going to disagree with WebCarnage....

    I don't think you need grsec... I don't think any daily usage, surf the net machine needs grsec... If you want to play with it sure... but it's not necessary... I also don't think an iptables script is needed... If you're behind a NAT device (home router) then the script is useless... secondly you don't want to rely on a firewall to protect you.... What you should do is determine what services you'll require (Do you want a web server, or ssh, or postfix (which generally runs by default on Ubuntu)..if you don't want it... disable it from starting)...

    Besides disabling unnecessary services and installing the updates, out of the box you're generally pretty good to go....

    Another option if say you do want SSH or a WebServer and want to limit access... rather than relying on iptables... I prefer hosts.allow and hosts.deny... You should be able to find decent howtos on the net to walk you through them.

    Peace
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
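
An added example (not part of the post above or of the thread): a shell function that reads `ss -H -tln` output and lists the TCP listeners reachable from other hosts, which is the inventory to make before deciding which services to keep and which to disable. The sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Lists TCP listeners that other hosts
# can reach, so each one can be kept on purpose or disabled.
# Real use:  ss -H -tln | exposed_listeners

exposed_listeners() {
    # Expects `ss -H -tln` columns: State Recv-Q Send-Q Local Peer
    awk '
    $1 == "LISTEN" {
        # Split "addr:port" at the last colon so "[::]:22" parses too.
        pos = match($4, /:[0-9]+$/)
        if (pos == 0) next
        addr = substr($4, 1, pos - 1)
        port = substr($4, pos + 1)
        # Loopback-only sockets are not reachable from the network.
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port, addr
    }' | LC_ALL=C sort -u | LC_ALL=C sort -n
}

# Constructed sample input (not captured from a real machine).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
EOF
}

sample_listeners | exposed_listeners
```

Each line of output is a port and bind address that answers on a network interface; anything listed that is not needed is a candidate for disabling.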

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    872
    Originally posted here by HTRegz
    I don't think you need grsec... I don't think any daily usage, surf the net machine needs grsec... If you want to play with it sure... but it's not necessary... I also don't think an iptables script is needed... If you're behind a NAT device (home router) then the script is useless... secondly you don't want to rely on a firewall to protect you.... What you should do is determine what services you'll require (Do you want a web server, or ssh, or postfix (which generally runs by default on Ubuntu)..if you don't want it... disable it from starting)...

    Besides disabling unnecessary services and installing the updates, out of the box you're generally pretty good to go....
    So what happens if somebody gets an 0day and uses it on one of his open (fully patched and updated) services?

    With grsec he'd have an unexecutable stack, so a good 60-70% of 0days just fail automatically.

    Just because you don't need an iron lock on your door doesn't mean you should choose to use it...


    until you regret having your house broken into...


    But yeah, hosts.allow and hosts.deny is awesome and you should learn to use it, as well. And I disagree with HTRegz, you do need a firewall to protect you. Sure you can have only one or two services up, but will they automatically drop requests from a certain IP after it somehow detected some sort of malicious activity? I don't think those features are built into sshd, or httpd - however a firewall is made specifically to monitor weird traffic. So use it.

    If you're really paranoid, build your own router/NAT. or at least put one in between the internet and your network.
    ...This Space For Rent.

    -[WebCarnage]

  5. #5
    @ΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,696
    Originally posted here by [WebCarnage]
    So what happens if somebody gets an 0day and uses it on one of his open (fully patched and updated) services?

    With grsec he'd have an unexecutable stack, so a good 60-70% of 0days just fail automatically.

    Just because you don't need an iron lock on your door doesn't mean you should choose to use it...


    until you regret having your house broken into...


    But yeah, hosts.allow and hosts.deny is awesome and you should learn to use it, as well. And I disagree with HTRegz, you do need a firewall to protect you. Sure you can have only one or two services up, but will they automatically drop requests from a certain IP after it somehow detected some sort of malicious activity? I don't think those features are built into sshd, or httpd - however a firewall is made specifically to monitor weird traffic. So use it.

    If you're really paranoid, build your own router/NAT. or at least put one in between the internet and your network.
    Within the context of 0days...

    Remove the path to root. Bind services to ports >1024 and use NAT redirection to match them to their "official" ports. This will allow you to run the service as a much less privileged user.

    Security is not just about keeping bad stuff out, you also need to take steps to mitigate the scope of any compromise.
    Real security doesn't come with an installer.
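
An added example (not part of the post above or of the thread): a shell function that prints the iptables NAT rules mapping an "official" port to the unprivileged port the service really listens on, and refuses a listen port that is not above 1024. The function name and the 80/8080 pair are assumptions; it only prints rules and changes nothing.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables NAT rules so a service
# bound to a port >1024 (runnable as a non-root user) is still reached on
# its "official" port. Prints the rules only; apply them as root after review.

redirect_rules() {
    official=$1   # port clients connect to, e.g. 80
    listen=$2     # port the unprivileged service binds, e.g. 8080
    for p in "$official" "$listen"; do
        case $p in
            # Reject empty, non-digit, or overlong values before they reach
            # a rule line.
            ''|*[!0-9]*|??????*) echo "not a port number: '$p'" >&2; return 2 ;;
        esac
    done
    if [ "$official" -lt 1 ] || [ "$official" -gt 65535 ]; then
        echo "official port $official out of range" >&2
        return 1
    fi
    # The condition from the post: the service's own port must be above 1024.
    if [ "$listen" -le 1024 ] || [ "$listen" -gt 65535 ]; then
        echo "listen port $listen is not in 1025-65535" >&2
        return 1
    fi
    # Connections arriving from other hosts.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $official -j REDIRECT --to-ports $listen"
    # Connections made on this host to itself do not pass through PREROUTING.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $official -j REDIRECT --to-ports $listen"
}

redirect_rules 80 8080
```

The redirect happens before the filter table sees the packet, so any INPUT rules have to allow the listen port (8080 here), and that port stays directly reachable unless it is filtered separately.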

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    872
    Originally posted here by Synful
    Within the context of 0days...

    Remove the path to root. Bind services to ports >1024 and use NAT redirection to match them to their "official" ports. This will allow you to run the service as a much less privileged user.

    Security is not just about keeping bad stuff out, you also need to take steps to mitigate the scope of any compromise.
    Also another nifty thing to do would be to change the banners for all the services you run to something that you don't run.
    (ie. running thttpd but changing the banner to make it seem as if you're running Apache, or running the latest sshd, but changing the banner to make it seem as if you're running some outdated, possibly vulnerable, sshd). This will probably weed out 99% of all attacks. And you can configure your Firewall to pick up any requests specifically for these faux-services.
    ...This Space For Rent.

    -[WebCarnage]

  7. #7
    @ΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,696
    Security through obscurity, but definitely a fun exercise.

    If nothing else, you can **** with the skiddies' heads.


    Heh... make sure to make it look extra vulnerable.
    Real security doesn't come with an installer.

  8. #8
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greetings

    I had to drink 3 cans of beer just to convince myself I'm reading my own thread.. Wow I must really suck in Linux. Anyway I'll be using it with Windows.. I'm using it to learn more, that's it. Nothing more. No server.. No nothing.. I have to Google more I think..

    By the way thank you to everyone for helping.. Except Iptables I couldn't get anything.. lol
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    872
    Originally posted here by ByTeWrangler

    By the way thank you to everyone for helping.. Except Iptables I couldn't get anything.. lol
    Don't let iptables get you down. Guarddog is a GUI frontend for iptables and lets you configure iptables without going through the "hassle" of learning iptables scripting.
    ...This Space For Rent.

    -[WebCarnage]

  10. #10
    Senior Member
    Join Date
    Oct 2005
    Posts
    197
    I would agree with WebCarnage, but if you go to the Ubuntu forums and talk about firewalls they all scream about FireStarter http://www.fs-security.com
    meh. -ech0.
